GitHub revealed More details about seven vulnerabilities in packages tar and @ NPMCLI / Arborist providing features for working with TAR archives and calculating the dependency tree in node.js. Vulnerabilities allow when unpacking a specially decorated archive to overwrite files outside the root directory in which unpacking is carried out as far as the current access rights allow. Problems make it possible to organize the execution of an arbitrary code in the system, for example, through the addition of commands in ~ / .bashrc or ~ / .profile when performing an operation from an unprivileged user or through the replacement of system files when started with ROOT rights.
Danger of vulnerabilities is exacerbated by the fact that the problem code is used in the NPM batch manager when operating with NPM packets, which allows you to organize an attack on users, placing a specially decorated NPM package in the repository, when processing which the intruder code will be executed in the system. The attack is possible even when installing packets in “–GNore-Scripts” mode, disabled execution of embedded scripts. Total NPM affects four vulnerabilities ( CVE-2021-32804 , cve-2021-37713 , CVE-2021-39134 and CVE-2021-39135 ) From seven. The first two problems relate to the TAR package, and the other two packages @ NPMCLI / Arborist.
The most dangerous Vulnerability CVE-2021-32804 is caused by That when cleaning the absolute paths specified in the TAR archive incorrectly processed by repeating characters “/” – only the first character is removed, and the rest are left. For example, the path “/home/user/.bashrc” will be converted to “home / user / .bashrc”, and the path “https: //home/user/.bashrc” in “/home/user/.bashrc”.
The second vulnerability CVE-2021-37713 manifests itself only on the Windows platform and is connected With incorrect cleaning of relative paths, including a non-dedicated disk symbol (“C: SOME PATH”) and a sequence to return to the previous directory (“C: .. FOO”).
CVE-2021-39134 and CVE-2021-39135 Specified for module @ NPMCLI / Arborist. The first problem is manifested only on systems that do not distinguish the character register in FS (MacOS and Windows), and allows you to record files into an arbitrary part of the FS, specifying the following dependences two “Foo” modules: “File: / Some / Path” and ‘ Foo: “File: Foo.tgz” ”, the processing of which will delete the contents of the / SOME / PATH directory and write the contents of foo.tgz. The second problem allows you to overwrite files through manipulation with symbolic references.